
LITEWORP: A Lightweight Countermeasure for the Wormhole Attack in Multihop Wireless Networks



  1. LITEWORP: A Lightweight Countermeasure for the Wormhole Attack in Multihop Wireless Networks
     Issa Khalil, Saurabh Bagchi, Ness Shroff
     Dependable Computing Systems Lab (DCSL) & Center for Wireless Systems and Applications (CWSA)
     School of Electrical and Computer Engineering, Purdue University

  2. Outline
     • Introduction
       • What is the wormhole attack?
       • Wormhole attack against DSR and TinyOS beaconing
       • Wormhole attack modes
     • Motivation
     • Related work
     • LITEWORP protocol description
     • Conclusion & take away lessons

  3. What is the Wormhole Attack?
     • Colluding nodes tunnel packets received in one place of the network to a distant location where they are replayed
     • Can be launched without having any cryptographic keys
     • Puts the attacker in a powerful position to play havoc with the traffic
       • Insinuate the attacker in a route and then manipulate data traffic
         • Example: Selectively drop data packets
       • Routing disruptions
         • Example: Prevent discovery of a legitimate route
       • Traffic analysis
         • Example: Observe traffic patterns as a way of leaking information

  4. Wormhole Attack Against DSR
     • S has two routes to D
       • S-A-B-C-D (4 hops)
       • S-X-Y-D (3 hops)
     • S selects the shortest available route
     (Figure: nodes S, A, B, C, D, X and Y)

  5. Wormhole Attack Against TinyOS Beaconing
     • Sensors collect data and forward it to the base station
     • TinyOS beaconing for routing
       • Tree routing rooted at the base station
       • Used in TinyOS for Berkeley motes
     • Attacker tunnels packets to a colluding party
       • The colluding party replays them
     • Most packets will be routed to the wormhole
     • The attacker can drop packets or, more subtly, selectively forward packets to avoid detection

  6. How Can the Wormhole Attack Be Launched?
     • The wormhole attack can be launched in many different ways
     • Wormhole modes differ in the level of sophistication needed by the adversary
     • We study five different wormhole attack modes, namely
       • Mode 1: Packet encapsulation
         • No specialized hardware
         • At least two attacker nodes
       • Mode 2: Out-of-band channel
         • Requires specialized hardware
         • Needs at least two attacker nodes
       • Mode 3: High power transmission
       • Mode 4: Packet relay
       • Mode 5: Protocol deviation
     (Figure: example topology with nodes S, U, V, W, X, Y, Z, B, C, D and E, marked as malicious or good nodes)

  7. Motivation
     We need to mitigate the wormhole attack
     • In resource constrained environments, such as sensor networks
       • In particular, we need to limit communication overhead to conserve bandwidth and energy
     • Without the use of specialized hardware
     • Existing approaches do not address all the modes of the wormhole attack
     • Not just detect the attack but also perform a response action

  8. Previous Countermeasures of the Wormhole Attack
     • Packet Leashes
       • Geographical Leashes
         • Require location determination (e.g., GPS hardware)
         • Require loose time synchronization
         • Attach the sender's position Ps and sending time ts to the packet, and limit the distance based on the receiver's position Pr and receiving time tr
       • Temporal Leashes
         • Require tight time synchronization
         • Use ts and tr and the speed of light to limit the distance traveled by the packet
       • Problems
         • Inaccurate due to unpredictable processing time and channel availability
         • Expensive (GPS or tight time synchronization)
         • Do not provide diagnosis and isolation
         • Cannot prevent DoS attacks against route establishment
     • Directional antennas
       • Require specialized hardware (e.g., a directional antenna)
       • Fail to mitigate most of the modes of the attack

  9. Outline
     • Introduction
     • Motivation
     • LITEWORP protocol description
       • Assumptions and attack model
       • Neighbor discovery
       • Local monitoring
       • Local response
       • Example of wormhole attack mitigation using LITEWORP
     • Conclusion & take away lessons

  10. Assumptions & Model
     • System assumptions
       • Existing key distribution mechanism
       • Static networks
       • Bi-directional links
       • A node cannot be compromised instantly
       • Attack-free environment during the deployment phase
     • Attack model
       • Links may be subjected to eavesdropping and message tampering
       • Attacker can replace a compromised node by a more powerful network entity, and can establish out-of-band fast channels
       • External adversary nodes
       • Internal adversary nodes, aka compromised nodes
         • Byzantine behavior
         • Arbitrary collusion
       • Brute force denial of service attacks are not considered

  11. Neighbor Discovery
     • Build a secure list of first and second hop neighbors
       • Started as soon as a node is deployed in the field
       • Used in local monitoring
     • Build a list of one-hop neighbors, R1
       • Each node sends out a clear-text one-hop HELLO broadcast
       • Each neighbor sends an authenticated unicast reply
     • Build a list of second hop neighbors, R2
       • We use one-to-one authentication broadcast
       • Saves communication over multiple authenticated unicasts
     (Figure: A holds keys KAB, KAC, ..., KAZ for its neighbors B, C, ..., Z; B's list R1 = [A||C||Kcommit] is sent as E(KBA, R1) and E(KBC, R1) to its neighbors A and C)

  12. Local Monitoring
     • A collaborative detection strategy in which a node monitors the traffic going in and out of its neighbors
     • Requires each node to include the ID of the prev-hop in the forwarded packet
     • A guard of a node A for the link from X to A is any node that lies within the transmission range of both X and A
       • M, X, and N are the guards of node A for the link from X to A
     • A guard saves information about incoming packets in a watch buffer
       • Matches an output packet with information in the buffer
     (Figure: nodes S, X, A, B, D, M, N and Y with the transmission range of Y drawn; M, X and N lie within the range of both X and A)

  13. Local Monitoring: Details
     • Local monitoring can be used to detect different kinds of control attacks by changing the information maintained in the buffer and the kind of checking that goes on
     • The different kinds of malicious activity that can be done by a node
       • Fabrication
       • Modification
       • Delay
       • Drop
     • Correspondingly, the kinds of checking that need to be done are:
       • An outgoing packet that has no corresponding incoming info
       • Difference between the incoming and outgoing packet fields
       • Forwards after a threshold time
       • Not forwarding within a maximum acceptable timeout threshold

  14. Local Response
     • Propagate detection knowledge to isolate malicious nodes
     • When a guard G detects a malicious event by node M
       • G increments a counter MalC(G,M)
         • Different malicious activities cause different increments
       • When MalC(G,M) crosses a threshold
         • G revokes M
         • G sends an authenticated alert to the neighbors of M
     • When N receives an alert about a neighbor M
       • Collects alert information from multiple guards
       • When the number of alerts reaches the detection confidence (γ), N revokes M

  15. Outline
     • Introduction
     • Motivation
     • Contribution
     • LITEWORP protocol description
     • Wormhole attack mitigation
       • Detection details
       • Analytical results
       • Simulation results
       • Cost analysis
     • Conclusion & take away lessons

  16. Detection Using Local Monitoring
     Attacker goal: including malicious nodes in the route
     (Figure: topology with wormhole endpoints M1 and M2 and nodes S, R, P, Z, Q, B, X, L, N, W, D, C, A, E, F)
     • Choice #1: M1 claims that the RREP is from M2
       • Detection strategy: all the neighbors of M1 (S, R, P, Z, Q, B) detect this malicious activity, because they know that M2 is not a neighbor of M1
     • Choice #2: M1 claims that the RREP comes from one of its neighbors, say Z
       • Detection strategy: the guards of M1 over the link Z to M1 (P, Z, Q) detect this malicious behavior, because they have nothing in their watch buffers about an RREP coming from Z
     • These detection approaches require the guards to monitor the route reply (RREP) packets

  17. Detection Using Local Monitoring
     Attacker goal: disrupting route establishment
     (Figure: same topology as slide 16)
     • Choice #1: M2 claims that the RREQ comes from M1
       • Detection strategy: all the neighbors of M2 (X, L, N, D, W) detect this malicious activity, because they know that M1 is not a neighbor of M2
     • Choice #2: M2 claims that the RREQ comes from one of its neighbors, say X
       • Detection strategy: the guards of M2 over the link X to M2 (N, X, L) detect this malicious behavior, because they have nothing in their watch buffers about an RREQ coming from X
     • These detection strategies require the guards to monitor the route request (RREQ) packets, which are more in number than the RREP packets and incur more overhead
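The guard logic of slides 12 through 14 and the two attacker choices of slides 16 and 17, as an added Python illustration that is not code from the slides or from the authors. It keeps a watch buffer keyed by packet and next hop, applies the four checks (fabrication, modification, delay, drop), checks the claimed prev-hop against the monitored node's neighbor list, and runs the MalC / γ response; the threshold, γ, timeout and per-event increments are assumed values, and the `r1` dictionary stands in for the R1/R2 lists built during neighbor discovery.

```python
from collections import defaultdict
MALC_THRESHOLD = 3   # MalC value at which a guard revokes M and alerts (assumed value)
GAMMA = 2            # detection confidence: distinct guard alerts a neighbor needs to revoke M
TIMEOUT = 5          # maximum acceptable forwarding delay, in time units (assumed value)
INCREMENT = {"fabrication": 2, "modification": 2, "delay": 1, "drop": 1}  # assumed weights

class Guard:
    def __init__(self, name, r1):
        self.name, self.r1 = name, r1     # r1: node -> its verified one-hop neighbors
        self.watch = {}                   # (pkt_id, next_hop) -> (prev_hop, payload, t_in)
        self.malc = defaultdict(int)      # MalC(G, M) per monitored node M
        self.alerts = defaultdict(set)    # M -> guards whose alerts about M were received

    def overhear_in(self, pkt_id, next_hop, prev_hop, payload, t):
        """Packet from prev_hop addressed to next_hop overheard: save it in the watch buffer."""
        self.watch[(pkt_id, next_hop)] = (prev_hop, payload, t)

    def overhear_out(self, pkt_id, node, claimed_prev, payload, t):
        """node forwards pkt_id with prev-hop ID claimed_prev. Returns the kind of
        malicious event detected, or None if the forward matches the watch buffer."""
        if claimed_prev not in self.r1[node]:   # Choice #1: claimed prev-hop is not a neighbor
            return self._count(node, "fabrication")
        entry = self.watch.pop((pkt_id, node), None)
        if entry is None:                       # Choice #2: nothing in the watch buffer
            return self._count(node, "fabrication")
        prev, pay, t_in = entry
        if prev != claimed_prev or pay != payload:
            return self._count(node, "modification")
        if t - t_in > TIMEOUT:
            return self._count(node, "delay")
        return None

    def expire(self, t):
        """Buffer entries not forwarded within TIMEOUT are counted as drops."""
        for key in [k for k, v in self.watch.items() if t - v[2] > TIMEOUT]:
            del self.watch[key]
            self._count(key[1], "drop")

    def _count(self, node, kind):
        self.malc[node] += INCREMENT[kind]
        return kind

    def revokes(self, node):
        """Local response, guard side: revoke M once MalC(G, M) crosses the threshold."""
        return self.malc[node] >= MALC_THRESHOLD

    def receive_alert(self, guard, node):
        """Local response, neighbor side: revoke M after alerts from gamma distinct guards."""
        self.alerts[node].add(guard)
        return len(self.alerts[node]) >= GAMMA
```

With the slide 16 topology, guard P flags M1 twice (once for claiming M2, once for claiming Z with no buffered RREP) and revokes it, while a well-behaved forward by A matches its buffer entry and is not counted.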

  18. Analysis: Detection Coverage
     Due to collisions the following may occur
     • Missed detection: A malicious event goes undetected
       • Collision at the guard (G) when the node (D) transmits
     • False detection: A normal event is detected as a malicious event
       • Collision at the guard (G) when the sender (S) transmits a packet
       • Detection at the guard when the monitored node (D) forwards the packet
     (Figure: two cases at guard G of D for the link S to D: G misses the packet sent by S and falsely accuses D; G misses the fabrication by D)

  19. Analysis: Detection Coverage
     • Node density = 20
     • As the detection confidence increases, it becomes more difficult to get an alert from all the monitors

  20. Detection Coverage (continued)
     • The detection confidence = 3
     • Initial increase due to more available guards
     • Then decrease due to collisions

  21. Analysis: False Detection
     • The detection confidence = 3
     • Initial increase due to the increasing number of possible guards, which makes it easier to get more than γ false alarms (correlated collisions)
     • Decrease due to collisions

  22. Simulation Results
     • The relationship between the number of malicious routes and the number of dropped packets is not linear due to the aggressive nature of the wormhole
     • Over time, LITEWORP results level off to zero since malicious nodes are isolated
     • Over time, base case results stabilize to a certain value depending on the number of malicious nodes
     (Figure: a snapshot at T = 2000)

  23. Simulation Results
     • LITEWORP packet drop stabilizes with time since malicious nodes are identified and isolated
     • Base case packet drop continues to increase steadily with time
     (Figure: number of packets dropped with LITEWORP vs. without LITEWORP)

  24. Simulation Results
     • The isolation latency is not very significant even for a high confidence index value

  25. Cost Analysis
     • Memory
       • Number of nodes involved in monitoring a route reply
       • The number of replies a node is involved in per unit of time
       • For example, if N = 100 nodes, h = 4 hops, and f = 1 route every 4 time units, then NREP = 17, and each node watches only 4 route replies every 100 time units
     • Computation
       • Managing a small buffer (add, delete, search)
     • Bandwidth
       • Only at startup during neighbor discovery
       • Upon the detection of a malicious node

  26. Conclusion
     • Proposed a generic strategy for cooperative distributed detection of the wormhole traffic
     • Proposed a generic strategy for locally isolating the malicious nodes
     • Demonstrated that the mitigation approach is conservative in resource consumption
     • Future Work:
       • Guard scheduling to work with sleep scheduling algorithms
       • Extension to mobile ad hoc networks

  27. Thanks. Questions?

  28. Contributions
     • Proposed a strategy for cooperative distributed detection of the wormhole attack
     • Proposed a strategy for locally isolating malicious nodes
     • Demonstrated that the mitigation approach is conservative in resource consumption
